Posted on March 20, 2019
Social Engineering Fraud is a relatively new financial risk facing businesses.
Common confidence tricksters or fraudsters could be considered “social engineers” in the wider sense, in that they deliberately deceive and manipulate people, exploiting human weaknesses to obtain personal benefit.
They may, for example, use social engineering techniques as part of an IT fraud.
The use of technology and innovative deceptive means has allowed these criminals to defraud large sums of money, with high success rates.
The five most common attack types that social engineers use to target their victims are: phishing, pretexting, baiting, quid pro quo and tailgating. Newer types of attack such as watering hole and whaling attacks are becoming more and more popular.
Phishing attacks are the most common type of attack leveraging social engineering techniques. Attackers use emails, social media, instant messaging, and SMS to trick victims into providing sensitive information or visiting malicious URLs in an attempt to compromise their systems.
Phishing attacks present the following common characteristics:
- Messages are composed to attract the user’s attention, in many cases to stimulate curiosity by providing a little information on a specific topic and suggesting that the victim visit a specific website to gain further data.
- Phishing messages aimed at gathering a user’s information convey a sense of urgency, in an attempt to trick the victim into disclosing sensitive data to resolve a situation that could get worse without the victim’s intervention.
- Attackers leverage shortened URLs or embedded links to redirect victims to a malicious domain that could host exploit code, or that could be a clone of a legitimate website with a URL that appears legitimate. In many cases the actual link and the visible link in the email are different: the hyperlink does not point to the same location as the link text displayed to the user.
- Phishing email messages have a deceptive subject line to entice the recipient into believing that the email has come from a trusted source, and attackers use a forged sender’s address or the spoofed identity of the organization. They usually copy content such as text, logos, images, and styles used on the legitimate website to make the message look genuine.
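The sender and link characteristics in the list above can be checked automatically on inbound mail. The Python script below is an added example, not code from the original article or from Scott & Broad: it parses a constructed sample message (the sender, domains, links and subject line are invented for the illustration) and reports the indicators described above, namely a Reply-To on a different domain from the From address, urgency wording in the subject, link text that shows one host while the href points to another, and URL shorteners that hide the real destination. The shortener list is an assumption and would be extended for a real deployment.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email). It carries the
# traits described above: a spoofed display name, a Reply-To pointing
# elsewhere, a link whose visible text differs from its real destination,
# and a shortened URL.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.test>
Reply-To: recovery@mail-collector.test
To: staff@victim.example
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account needs immediate verification.</p>
<p><a href="https://examp1e-bank-login.test/verify">https://www.example-bank.test/secure</a></p>
<p>Or use this link: <a href="https://bit.ly/abc123">Confirm now</a></p>
</body></html>
"""

# Hosts of URL shorteners that hide the real destination (assumption: a short
# starter list; extend it for your environment).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL, or '' if the text is not a URL."""
    return (urlparse(url.strip()).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return a list of indicator strings found in a raw RFC 5322 message.

    Each check maps to one characteristic above: sender forgery (Reply-To on
    another domain), urgency in the subject, mismatched or shortened links.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_hdr, reply_hdr = msg["From"], msg["Reply-To"]
    if from_hdr and reply_hdr:
        from_domain = from_hdr.addresses[0].domain.lower()
        reply_domain = reply_hdr.addresses[0].domain.lower()
        if from_domain != reply_domain:
            findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")

    subject = (msg["Subject"] or "").lower()
    if any(cue in subject for cue in ("urgent", "immediately", "suspended", "24 hours")):
        findings.append("urgency language in subject")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host, text_host = _host(href), _host(text)
            # The visible text is itself a URL but names a different host.
            if text_host and href_host and text_host != href_host:
                findings.append(f"link text shows {text_host} but points to {href_host}")
            if href_host in SHORTENER_HOSTS:
                findings.append(f"shortened URL hides destination: {href}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

Checks like these are a triage aid rather than a verdict: legitimate newsletters also use shorteners and separate reply addresses, so the findings are best treated as a score that routes a message for closer review.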
The term pretexting indicates the practice of presenting oneself as someone else to obtain private information. Usually, attackers create a fake identity and use it to manipulate the recipient into handing over information.
Attackers leveraging this specific social engineering technique often adopt several identities they have created during their career. This habit could expose their operations to investigation by security experts and law enforcement.
The success of a pretexting attack depends heavily on the attacker’s ability to build trust.
Most advanced forms of pretexting attacks try to manipulate the victims into performing an action that enables an attacker to discover and exploit a point of failure inside an organization.
An attacker can impersonate an external IT services operator and ask internal staff for information that could allow access to systems within the organization.
Baiting exploits human curiosity. Its main characteristic is the promise of a good that hackers use to deceive the victims.
A classic example is an attack scenario in which attackers use a malicious file disguised as a software update or as a generic piece of software. An attacker can also run a baiting attack in the physical world, for example by scattering infected USB tokens in the parking lot of a target organization and waiting for internal personnel to insert them into a corporate PC. The malware installed on the USB tokens then compromises the PCs, giving the attackers full control.
Quid Pro Quo attack (aka ‘something for something’ attack)
This is a variant of baiting and differs in that, instead of baiting a target with the promise of a good, a quid pro quo attack promises a service or a benefit based on the execution of a specific action.
In a Quid Pro Quo attack scenario, the hacker offers a service or benefit in exchange for information or access.
The most common quid pro quo attack occurs when a hacker impersonates an IT staffer of a large organization. The hacker contacts employees of the target organization by phone and offers them some kind of upgrade or software installation.
They might ask victims to facilitate the operation by temporarily disabling the AV software so that the malicious application can be installed.
The tailgating attack, also known as “piggybacking,” involves an attacker seeking entry to a restricted area without the proper authentication.
The attacker can simply walk in behind a person who is authorized to access the area. In a typical attack scenario, a person impersonates a delivery driver or a caretaker who is loaded with parcels and waits for an employee to open the door. The attacker asks the employee to hold the door, bypassing the security measures in place (e.g. electronic access control).
A “watering hole” attack consists of injecting malicious code into the public web pages of a site that the targets usually visit. The method of injection is not new, and it is commonly used by cyber criminals and hackers. The attackers compromise websites within a specific sector that are ordinarily visited by the specific individuals of interest to the attackers.
Once a victim visits a page on the compromised website, a backdoor trojan is installed on their computer. The watering hole method of attack is very common in cyber espionage operations and state-sponsored attacks.
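Because a watering hole attack changes pages that the site owner believes are unchanged, a practical defence for the operator of a sector website is to fingerprint the scripts on each public page and compare them with a clean baseline. The Python below is an added example and is not part of the original article; the two HTML snapshots, the allowed script host and the placeholder `loadExtra()` call are constructed for the illustration. It reports external scripts added or removed since the baseline, inline scripts whose content changed, and scripts loaded from hosts outside the allow-list.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline snapshot of a page (not a real site), captured when the
# page was known to be clean.
BASELINE_HTML = """<html><head>
<script src="https://www.example-sector-news.test/js/app.js"></script>
<script>window.siteConfig = {"edition": "daily"};</script>
</head><body><h1>Sector news</h1></body></html>
"""

# Constructed later snapshot of the same page: an extra external script has
# appeared and the inline script now contains an added call (loadExtra is a
# placeholder name, not real code).
CURRENT_HTML = """<html><head>
<script src="https://www.example-sector-news.test/js/app.js"></script>
<script>window.siteConfig = {"edition": "daily"}; loadExtra();</script>
<script src="https://cdn-stat1c.test/t.js"></script>
</head><body><h1>Sector news</h1></body></html>
"""

# Hosts this page is expected to load scripts from (assumption for the example).
ALLOWED_SCRIPT_HOSTS = {"www.example-sector-news.test"}


class _ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []  # src attribute of each <script src=...>
        self.inline = []    # text of each <script> without src
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def script_fingerprint(html_text):
    """Return (set of external script URLs, set of SHA-256 digests of inline scripts)."""
    collector = _ScriptCollector()
    collector.feed(html_text)
    inline_hashes = {hashlib.sha256(s.encode("utf-8")).hexdigest() for s in collector.inline}
    return set(collector.external), inline_hashes


def page_script_changes(baseline_html, current_html, allowed_hosts):
    """Compare the scripts on a page against a clean baseline.

    Returns the external scripts added or removed, whether any inline script
    content changed, and external script hosts outside the allow-list.
    """
    base_ext, base_inline = script_fingerprint(baseline_html)
    cur_ext, cur_inline = script_fingerprint(current_html)
    current_hosts = {(urlparse(u).hostname or "").lower() for u in cur_ext} - {""}
    return {
        "added_external": sorted(cur_ext - base_ext),
        "removed_external": sorted(base_ext - cur_ext),
        "inline_changed": bool(cur_inline ^ base_inline),
        "unexpected_hosts": sorted(current_hosts - set(allowed_hosts)),
    }


if __name__ == "__main__":
    for key, value in page_script_changes(BASELINE_HTML, CURRENT_HTML, ALLOWED_SCRIPT_HOSTS).items():
        print(f"{key}: {value}")
```

Running this comparison on a scheduled crawl of the site, and pairing it with a Content-Security-Policy that restricts script sources to the allow-list, surfaces an injected loader before regular visitors fetch it.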
Whaling is another evolution of phishing attacks that uses sophisticated social engineering techniques to steal confidential information, personal data, access credentials to restricted services/resources, and, specifically, information of significant value from an economic and commercial perspective.
What distinguishes this category of phishing from others is the choice of targets: senior executives of private businesses and government agencies. The word whaling is used to indicate that the target is a big fish to capture.
New types of cyber-attacks and social engineering fraud are finding their way to their victims every day. Businesses need to be aware of the immediate risk of losses and inability to claim any compensation.
Our insurance brokers Scott & Broad have recently developed some risk management steps to help their clients avoid or limit the risks of falling victim to ‘Social Engineering Fraud’.
We are happy to share these steps with you and hope the recommendations will assist our business clients to implement the right risk management procedures and remain adequately insured against social engineering fraud risk.
What is Social Engineering Fraud? This is the intentional misleading of a staff member through misrepresentation of a material fact which is relied upon, believing it to be genuine.
- Social Engineering Fraud has emerged as a serious threat and companies can quickly forfeit large amounts of money if they are not prepared.
- The fraudsters are becoming more and more intelligent in their deception, meaning we are seeing many cases of social engineering fraud reported to our
- Such is the problem that insurers are starting to restrict cover, impose conditions or even remove cover entirely.
- Many policies impose conditions that remove or reduce the cover unless the Policyholder can demonstrate that reasonable steps are in place to prevent the financial loss.
What to look out for?
• Requests to change banking details for customers or suppliers
• Unusual or unexpected invoices
• Unusual email requests purporting to be from senior managers to make urgent payments, often with repeated follow ups.
• Errors in email addresses, spelling mistakes, or poor grammar in communications.
What can you do to prevent being a victim of Social Engineering Fraud?
• Verify by telephone new customer or supplier bank account information (including name, address and bank account number) prior to initiating any financial transaction with such supplier or customer
• Verify by telephone all requests to change banking or contact information
• Implement call back procedures with customers or suppliers to authenticate any fund
• All unusual or urgent payment instructions purporting to come from senior management are followed up by call-backs to senior management to confirm payment instructions and check
• Supervisor or next-level approval is always required prior to any change to vendor and supplier bank accounts
• Vendor and supplier lists are regularly reviewed and exception reports run showing all changes to vendor and supplier details
• Requests for authentication of bank account details or requests for information on bank account details purporting to come from bank officials, are raised with senior management and followed up with the bank to confirm the authenticity of such requests
• Implement a secondary approval process from within the business before initiating funds transfers or changing third party bank account details.
• Train all finance employees on anti-fraud, scams, phishing, malware and social
• Develop a Social Engineering Fraud risk management strategy based on the above and alert all staff, at all locations, of the risks of Social Engineering Fraud
Source: Andrew Miller (Scott & Broad)
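The call-back, second-approval and exception-report steps above can be checked mechanically against a vendor master change log. The Python below is an added example that is not from the article or from Scott & Broad; the change records, vendor names, domains and review period are constructed for the illustration. It produces the exception report the steps call for: every bank-detail or contact change in the review period that lacks a telephone call-back, lacks an independent second approver, or was requested from an e-mail domain other than the vendor’s domain on record.

```python
from datetime import date

# Fields that redirect money if changed: under the steps above they need a
# telephone call-back and an independent second approver.
PAYMENT_FIELDS = {"bank_account", "bank_sort_code", "iban", "bank_name"}
# Contact fields: a call-back to a known-good number is still required.
CONTACT_FIELDS = {"phone", "email", "address"}

# Constructed review period and vendor master change log (no real vendors,
# people or account details).
REVIEW_START = date(2019, 3, 1)
REVIEW_END = date(2019, 3, 31)
VENDOR_CHANGES = [
    {"id": 1, "vendor": "Acme Supplies", "field": "bank_account",
     "request_source": "invoices@acme-supplies.test", "vendor_domain": "acme-supplies.test",
     "approved_by": "ap-clerk", "second_approver": "finance-manager",
     "callback_verified": True, "changed_on": date(2019, 3, 4)},
    {"id": 2, "vendor": "Bright Logistics", "field": "bank_account",
     "request_source": "accounts@bright-logistics-invoicing.test", "vendor_domain": "bright-logistics.test",
     "approved_by": "ap-clerk", "second_approver": None,
     "callback_verified": False, "changed_on": date(2019, 3, 12)},
    {"id": 3, "vendor": "Acme Supplies", "field": "phone",
     "request_source": "invoices@acme-supplies.test", "vendor_domain": "acme-supplies.test",
     "approved_by": "ap-clerk", "second_approver": None,
     "callback_verified": False, "changed_on": date(2019, 3, 15)},
    {"id": 4, "vendor": "Bright Logistics", "field": "iban",
     "request_source": "accounts@bright-logistics.test", "vendor_domain": "bright-logistics.test",
     "approved_by": "ap-clerk", "second_approver": "ap-clerk",
     "callback_verified": True, "changed_on": date(2019, 2, 20)},
]


def control_failures(change):
    """Return the list of control failures for one change record."""
    reasons = []
    field = change["field"]
    if field in PAYMENT_FIELDS | CONTACT_FIELDS and not change["callback_verified"]:
        reasons.append("no telephone call-back to a known-good number")
    if field in PAYMENT_FIELDS:
        second = change["second_approver"]
        if not second:
            reasons.append("missing supervisor or next-level approval")
        elif second == change["approved_by"]:
            reasons.append("second approver is the same person as the first")
    # A request from a look-alike domain is the classic bank-detail fraud pattern.
    source_domain = change["request_source"].rsplit("@", 1)[-1].lower()
    if source_domain != change["vendor_domain"].lower():
        reasons.append(f"requested from {source_domain}, not the vendor domain on record")
    return reasons


def exception_report(changes, period_start, period_end):
    """Exception report for a review period: one entry per change that fails a control."""
    report = []
    for change in changes:
        if not period_start <= change["changed_on"] <= period_end:
            continue
        reasons = control_failures(change)
        if reasons:
            report.append({"id": change["id"], "vendor": change["vendor"],
                           "field": change["field"], "reasons": reasons})
    return report


if __name__ == "__main__":
    for entry in exception_report(VENDOR_CHANGES, REVIEW_START, REVIEW_END):
        print(f"#{entry['id']} {entry['vendor']} ({entry['field']}): " + "; ".join(entry["reasons"]))
```

The report is only as good as the change log feeding it, so the log should be written by the vendor master system itself, with the call-back outcome and both approver identities recorded at the time of the change rather than reconstructed afterwards.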